
AWS Amplify Graph API that can be accessed without authorization (login)

I am new to Amplify and I am building a simple list of items (votes) with GraphQL. While the items' visibility should be public (read access) without authentication, creating, updating and deleting should be done authenticated via a Cognito user pool.

The model can be seen in following AWS Amplify Admin UI screenshot:

[Screenshot: AWS Amplify Admin UI, Data model]

I am not able to set the read access to Anyone (since this option is greyed out). Furthermore following statement in the AWS docs puzzles me a bit:

"While the API endpoints are publicly reachable, they never allow unauthorized access."
(GraphQL API Security with AWS AppSync and Amplify)

Am I on the wrong track when I want to publish a Graph API with Amplify to the public without authentication? Did I misconfigure my API or is there a way to bypass authentication? Honestly I am not sure if I understand the concept behind this.

For me it is hardly imaginable that only authenticated users can access the API. Respectively I assume there are many other cases (beside my one) where accessing the API without authentication is a requirement.

Thanks in advance for your feedback.

PS: #52601860 seems to be a similar question.

For me, restricting the public access to read operations in the schema file (amplify/backend/api/<name>/schema.graphql) was sufficient:

type SomeModel @model @auth(rules: [{allow: public, operations: [read]}]) {
  id: ID!
  # ...
}

You can check those permissions via amplify status api -acm SomeModel.

Do not forget to provision those changes by running amplify push.

This is achievable in AppSync. I think what you are looking for is a way to use a different authentication mode for different APIs. So some APIs like queries can be used by any unauthenticated user (i.e. open to the public) while others like mutations are guarded behind the authentication.

One simple approach would be to enable authentication via a Cognito Identity Pool.

An identity pool can be configured with two roles, one authorized role and another unauthorized role. The unauthorized role's policy can be updated to, by default, ALLOW permission on the AppSync query endpoint.


Here is a sample guide by Daniel Bayerlein which you can follow to achieve this: https://dev.to/danielbayerlein/aws-appsync-without-authentication-3fnm

It has detailed step and configuration change that is needed.


One more reference for your help, in case you just want to manually update the Cognito identity pool permissions from the AWS console: https://dev.to/sedkis/setting-up-aws-appsync-for-unauthenticated-users-1879


I hope this would be useful. Please feel free to reach out in case you get stuck. Would be more than happy to assist with your configuration.


When you invoke authentication I hope you are aware that users can register and be members of AWS Cognito user pools. In this case you can adjust the authentication within your own model the way it's specified in the first answer above, or maybe give Groups within the Cognito User Pool the right access,

ex: { allow: groups, groups: ["Admin"], operations: [create, read, update, delete] }

You can let all other Queries be accessible to AWS Cognito Users and Groups as well, the way you plan your Amplify app. Don't forget to check the aws-exports.js:

"aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS"
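Putting the first answer's public read rule and the groups rule above together, here is an added example schema for the asker's "votes" model (this is not code from any of the answers). It assumes the API was configured with API key as the default authorization mode and Cognito User Pools as an additional mode (amplify update api), so that the public rule maps to the API key provider and the private/owner/groups rules map to the user pool; the type, field and group names are made up for illustration.

```graphql
# Added example schema (hypothetical "Vote" model), not the original poster's model.
# Assumes API auth modes: API key (default) + Amazon Cognito User Pools (additional).
type Vote
  @model
  @auth(rules: [
    # Anyone holding the API key can read; no sign-in needed.
    # (To back "public" with the identity pool's unauth role instead, as in the
    #  second answer, use { allow: public, provider: iam, operations: [read] }.)
    { allow: public, operations: [read] },
    # Signed-in user pool users can also read with their own token.
    { allow: private, operations: [read] },
    # Any signed-in user can create a vote; only its owner can update or delete it.
    # Including "create" lets Amplify populate the implicit "owner" field.
    { allow: owner, operations: [create, update, delete] },
    # Members of the (hypothetical) Admin group can do everything.
    { allow: groups, groups: ["Admin"], operations: [create, read, update, delete] }
  ]) {
  id: ID!
  title: String!
  count: Int
}
```

A client then reads with authMode API_KEY and mutates with AMAZON_COGNITO_USER_POOLS; the rule that applies is the one whose provider matches the auth mode of the request, so a mutation sent with only the API key is rejected even though the endpoint itself is publicly reachable. After editing the schema, check the effective matrix with amplify status api -acm Vote and deploy with amplify push.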
